The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Forefront Dermatology Proposes $3.75 Million Settlement to Resolve Ransomware Lawsuit

The Wisconsin-based dermatology practice, Forefront Dermatology, has agreed to settle a class action lawsuit filed on behalf of patients whose protected health information (PHI) was compromised in a ransomware attack in late May 2021.

Forefront Dermatology has affiliated practices in 21 states and Washington D.C. In May 2021, the practice was targeted by the Cuba ransomware gang, which gained access to its network and exfiltrated files from the network before encrypting data. The gang then dumped some of the stolen data on its dark web data leak site to pressure the practice into paying the ransom. According to Forefront Dermatology’s data breach notice, the attack was detected on June 4. The forensic investigation confirmed the attackers potentially accessed and stole files containing the PHI of up to 2.4 million employees and patients. That information included names, dates of birth, account numbers, health insurance information, Social Security numbers, medical record numbers, medical and treatment information, and other sensitive data.

Shortly after patients were notified about the breach, a class action lawsuit was filed in the U.S. District Court for the Eastern District of Wisconsin. It alleged that Forefront Dermatology had failed to implement adequate data security protocols, including permitting the use of “incredibly simplistic passwords,” and had maintained patient data “in a reckless manner”. The lawsuit alleged that the ransomware attack and data breach were made possible by those security failures, and that Forefront Dermatology was aware of the risk of a data breach and had the resources to implement appropriate data security measures but failed to do so.

The lawsuit takes issue with the month-long delay in issuing breach notification letters and with the conflicting statements provided to patients and the Maine attorney general. The latter was informed that Social Security numbers had been stolen, whereas patients were told that information such as Social Security numbers, driver’s license numbers, and financial account/payment card information was not accessed or stolen.

The lawsuit alleges the plaintiffs – Judith Leitermann, Lynn Anderson, and Milan E. Kunzelmann – and similarly affected individuals have been exposed to a heightened and imminent risk of fraud and identity theft, and that their PHI is now in the hands of criminals. As a result of the alleged negligence of Forefront Dermatology, the plaintiffs and class members must closely monitor their financial accounts to guard against identity theft, and have incurred and will continue to incur out-of-pocket costs for protective measures to deter and detect identity theft.

Forefront Dermatology has not admitted any wrongdoing and accepts no liability for the data breach, but chose to settle the lawsuit to prevent further legal costs and to avoid the uncertainty of trial. Forefront Dermatology proposed a $3.75 million settlement to resolve all claims related to the data breach.

Under the terms of the settlement, class members are entitled to claim up to $10,000 for documented losses from identity theft, credit-related costs, bank fees, communication charges, and fraudulent charges, as well as claim up to five hours of lost time at $25 per hour, and may also sign up for one year of free credit monitoring services. Class members may opt out of receiving expense reimbursement and credit monitoring services and will instead receive a cash fund payment, the value of which will depend on the number of participating class members.

Class members have until January 24, 2023, to object to or exclude themselves from the settlement, and until February 8, 2023, to submit a claim. The final approval hearing has been scheduled for March 1, 2023.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
